CVE-2009-1955
Published: 2009-06-08
CVE-2009-1955: The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache…
Severity: high (7.5, CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | apr-util | < 1.3.7 | 1.3.7 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | apr-util | >= 0 < 1.3.7+dfsg-1 | 1.3.7+dfsg-1 |
| apache | http_server | >= 2.2.0 < 2.2.12 | 2.2.12 |
| apple | mac_os_x | < 10.6.2 | 10.6.2 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | apr-util | < apr-util 1.3.7+dfsg-1 (bookworm) | apr-util 1.3.7+dfsg-1 (bookworm) |
| debian | apr-util | — | — |
| debian | debian_linux | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| redhat | enterprise_linux | — | — |
| suse | linux_enterprise_server | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 6.5 | MEDIUM | — |